iptables-1.8.7-13.el9

- extensions: sctp: Fix nftables translation
- nft: Fix bitwise expression avoidance detection
- iptables-nft: fix -Z option
- Do not build legacy sub-packages on RHEL

Resolves: rhbz#1927721

0014-iptables-nft-fix-Z-option.patch

@@ -0,0 +1,104 @@
+From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 24 Feb 2021 11:08:02 +0100
+Subject: [PATCH] iptables-nft: fix -Z option
+
+it zeroes the rule counters, so it needs fully populated cache.
+Add a test case to cover this.
+
+Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2)
+---
+ iptables/nft-cmd.c                            |  2 +-
+ .../testcases/iptables/0007-zero-counters_0   | 64 +++++++++++++++++++
+ 2 files changed, 65 insertions(+), 1 deletion(-)
+ create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 8dccdd734b156..a0c76a795e59c 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
+ 	if (!cmd)
+ 		return 0;
+ 
+-	nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
++	nft_cache_level_set(h, NFT_CL_RULES, cmd);
+ 
+ 	return 1;
+ }
+diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
+new file mode 100755
+index 0000000000000..36da1907e3b22
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
+@@ -0,0 +1,64 @@
++#!/bin/bash
++
++RC=0
++COUNTR=$RANDOM$RANDOM
++
++$XT_MULTI iptables-restore -c <<EOF
++*filter
++:INPUT ACCEPT [1:23]
++:FOO - [0:0]
++[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
++[22:123] -A FOO -m comment --comment one
++[44:123] -A FOO -m comment --comment two
++COMMIT
++EOF
++EXPECT="*filter
++:INPUT ACCEPT [0:0]
++:FORWARD ACCEPT [0:0]
++:OUTPUT ACCEPT [0:0]
++:FOO - [0:0]
++[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
++[0:0] -A FOO -m comment --comment one
++[0:0] -A FOO -m comment --comment two
++COMMIT"
++
++COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
++if [ $COUNTER != "[12:345]" ]; then
++	echo "Counter $COUNTER is wrong, expected 12:345"
++	RC=1
++fi
++
++$XT_MULTI iptables -Z FOO
++COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
++if [ $COUNTER = "[0:0]" ]; then
++	echo "Counter $COUNTER is wrong, should not have been zeroed"
++	RC=1
++fi
++
++for c in one two; do
++	COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
++	if [ $COUNTER != "[0:0]" ]; then
++		echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
++		RC=1
++	fi
++done
++
++$XT_MULTI iptables -Z
++COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
++
++if [ $COUNTER != "[0:0]" ]; then
++	echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
++	RC=1
++fi
++
++diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
++if [ $? -ne 0 ]; then
++	echo "Diff error: counters were not zeroed"
++	RC=1
++fi
++
++$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
++$XT_MULTI iptables -D FOO -m comment --comment one
++$XT_MULTI iptables -D FOO -m comment --comment two
++$XT_MULTI iptables -X FOO
++exit $RC
+-- 
+2.31.1
+

0015-nft-Fix-bitwise-expression-avoidance-detection.patch

@@ -0,0 +1,73 @@
+From 5462c9908a3b2ba94fc4cf5c6cd0d5ed296093c5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 19 Feb 2021 16:54:57 +0100
+Subject: [PATCH] nft: Fix bitwise expression avoidance detection
+
+Byte-boundary prefix detection was too sloppy: Any data following the
+first zero-byte was ignored. Add a follow-up loop making sure there are
+no stray bits in the designated host part.
+
+Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba)
+---
+ iptables/nft-shared.c                         |  4 +++-
+ .../testcases/ip6tables/0004-address-masks_0  | 24 +++++++++++++++++++
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+ create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 10553ab26823b..c1664b50f9383 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
+ {
+ 	const unsigned char *m = mask;
+ 	bool bitwise = false;
+-	int i;
++	int i, j;
+ 
+ 	for (i = 0; i < len; i++) {
+ 		if (m[i] != 0xff) {
+@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
+ 			break;
+ 		}
+ 	}
++	for (j = i + 1; !bitwise && j < len; j++)
++		bitwise = !!m[j];
+ 
+ 	if (!bitwise)
+ 		len = i;
+diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
+new file mode 100755
+index 0000000000000..7eb42f08da975
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
+@@ -0,0 +1,24 @@
++#!/bin/bash
++
++set -e
++
++$XT_MULTI ip6tables-restore <<EOF
++*filter
++-A FORWARD -s feed:babe::/ffff::0
++-A FORWARD -s feed:babe::/ffff:ff00::0
++-A FORWARD -s feed:babe::/ffff:fff0::0
++-A FORWARD -s feed:babe::/ffff:ffff::0
++-A FORWARD -s feed:babe::/0:ffff::0
++-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
++COMMIT
++EOF
++
++EXPECT='-P FORWARD ACCEPT
++-A FORWARD -s feed::/16
++-A FORWARD -s feed:ba00::/24
++-A FORWARD -s feed:bab0::/28
++-A FORWARD -s feed:babe::/32
++-A FORWARD -s 0:babe::/0:ffff::
++-A FORWARD -s feed::babe:0/ffff::ffff:0'
++
++diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
+-- 
+2.31.1
+

0016-extensions-sctp-Fix-nftables-translation.patch

@@ -0,0 +1,80 @@
+From c9c2e55eb6cebdb8d17cf0c8267a1eb3e8fb6e07 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 16:03:24 +0200
+Subject: [PATCH] extensions: sctp: Fix nftables translation
+
+If both sport and dport was present, incorrect nft syntax was generated.
+
+Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
+---
+ extensions/libxt_sctp.c      | 10 ++++------
+ extensions/libxt_sctp.txlate | 10 +++++-----
+ 2 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 59b34684cc7f7..5ec1ca618405e 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
+ 	if (!einfo->flags)
+ 		return 0;
+ 
+-	xt_xlate_add(xl, "sctp ");
+-
+ 	if (einfo->flags & XT_SCTP_SRC_PORTS) {
+ 		if (einfo->spts[0] != einfo->spts[1])
+-			xt_xlate_add(xl, "sport%s %u-%u",
++			xt_xlate_add(xl, "sctp sport%s %u-%u",
+ 				     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
+ 				     einfo->spts[0], einfo->spts[1]);
+ 		else
+-			xt_xlate_add(xl, "sport%s %u",
++			xt_xlate_add(xl, "sctp sport%s %u",
+ 				     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
+ 				     einfo->spts[0]);
+ 		space = " ";
+@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
+ 
+ 	if (einfo->flags & XT_SCTP_DEST_PORTS) {
+ 		if (einfo->dpts[0] != einfo->dpts[1])
+-			xt_xlate_add(xl, "%sdport%s %u-%u", space,
++			xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
+ 				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+ 				     einfo->dpts[0], einfo->dpts[1]);
+ 		else
+-			xt_xlate_add(xl, "%sdport%s %u", space,
++			xt_xlate_add(xl, "%ssctp dport%s %u", space,
+ 				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+ 				     einfo->dpts[0]);
+ 	}
+diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
+index 72f4641ab021c..0d6c59e183675 100644
+--- a/extensions/libxt_sctp.txlate
++++ b/extensions/libxt_sctp.txlate
+@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
+ nft add rule ip filter INPUT sctp dport != 50-56 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
++nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
++nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
++nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
+ 
+ iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
++nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
++nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
+-- 
+2.31.1
+

iptables.spec

@@ -7,11 +7,14 @@
 %global iptc_so_ver  0
 %global ipXtc_so_ver 2
 
+# build legacy sub-packages only on non-rhel distributions
+%global do_legacy_pkg ! 0%{?rhel}
+
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 12%{?dist}
+Release: 13%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -37,6 +40,9 @@ Patch10: 0010-iptables-apply-Drop-unused-variable.patch
 Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
 Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
 Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
+Patch14: 0014-iptables-nft-fix-Z-option.patch
+Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch
+Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -353,6 +359,8 @@ if [ $1 -eq 0 ]; then
 	done
 fi
 
+%if %{do_legacy_pkg}
+
 %files legacy
 %doc INCOMPATIBILITIES
 %{_sbindir}/ip{,6}tables-legacy*
@@ -362,6 +370,21 @@ fi
 %{_mandir}/man8/xtables-legacy*
 %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
 
+%files legacy-libs
+%license COPYING
+%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
+
+%files legacy-devel
+%dir %{_includedir}/libiptc
+%{_includedir}/libiptc/*.h
+%{_libdir}/libip*tc.so
+%{_libdir}/pkgconfig/libip{,4,6}tc.pc
+
+# do_legacy_pkg
+%else
+%define _unpackaged_files_terminate_build 0
+%endif
+
 %files libs
 %license COPYING
 %{_libdir}/libxtables.so.12*
@@ -370,21 +393,11 @@ fi
 %{_mandir}/man8/ip{,6}tables.8.gz
 %{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
 
-%files legacy-libs
-%license COPYING
-%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
-
 %files devel
 %{_includedir}/xtables{,-version}.h
 %{_libdir}/libxtables.so
 %{_libdir}/pkgconfig/xtables.pc
 
-%files legacy-devel
-%dir %{_includedir}/libiptc
-%{_includedir}/libiptc/*.h
-%{_libdir}/libip*tc.so
-%{_libdir}/pkgconfig/libip{,4,6}tc.pc
-
 %files services
 %dir %{script_path}
 %{script_path}/ip{,6}tables.init
@@ -432,6 +445,12 @@ fi
 
 
 %changelog
+* Wed Jun 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-13
+- extensions: sctp: Fix nftables translation
+- nft: Fix bitwise expression avoidance detection
+- iptables-nft: fix -Z option
+- Do not build legacy sub-packages on RHEL
+
 * Thu Jun 10 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-12
 - arptables-nft-helper: Remove bashisms
 - ebtables-helper: Drop unused variable, add a missing quote